[Samba] RE: Samba and ADS authentication - can't change file permissions

Ross Smith Ross.Smith at robinsons.com
Tue Feb 26 15:35:32 GMT 2008

Hey folks,

I could do with some more help on this, if anybody could point me in the
right direction it would be appreciated.

The basic problem is that any attempt to change permissions on a file
from a windows workstation results in an "Access Denied" error.  While
looking into it, I found that I'm getting a large number of
NT_STATUS_LOGON_FAILURE messages in the Samba logs.

I'm running Samba on Solaris 10, using the built in version of Samba
(3.0.25a), and I'm attempting to get Samba running on a Windows 2000
domain with ADS authentication.  All the files are stored locally on a
ZFS volume.  Samba appears to have joined the domain ok, and I think
Kerberos authentication is working, but if you can think of anything I
should check, no matter how basic, please let me know as I'm very new to

I'm now in a position that I can browse the Samba shares from a windows
workstation.  I can also view and edit files, and I can view file
permissions  I can also use the windows "Computer Management" tool to
view the shares, and even manage share permissions on the Samba box.
However, any attempt to change file permissions results in an "Access
Denied" error on the Windows XP client.

Checking the logs, it also appears I am still getting a large number of
NT_STATUS_LOGON_FAILURE messages.  Just reading a file generates 5 of
these errors, so I'm wondering if the only reason I can read anything
from my windows clients is because I've been rather liberal with file
permissions while testing this.

I've read all the documentation I can find, and all the tests in the
Samba how to guide appear to work.  I tested Kerberos by using
"smbclient -k \\\\server\share" and can browse my windows servers fine.

When I connect and read a file, Samba logs this:
[2008/02/26 13:26:16, 1] smbd/service.c:(1033)
  rob-055 ( connect to service samba initially as user
ROBINSONS\ross smith (uid=100001, gid=100005) (pid 5413)
[2008/02/26 13:26:17, 1] smbd/sesssetup.c:(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/02/26 13:26:17, 1] smbd/sesssetup.c:(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/02/26 13:26:17, 1] smbd/sesssetup.c:(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

Permissions on my test file are currently as follows:
# ls -v test.txt
-rwxrwxrwx+  1 ross smith domain users      21 Feb 26 13:18 test.txt

My krb5.conf file is:
default_realm = ROBINSONS.COM
dns_lookup_kdc = true

kdc =
admin_server =

.robinsons.com = ROBINSONS.COM
robinsons.com = ROBINSONS.COM

And smb.conf is:
workgroup = ROBINSONS
bind interfaces only = yes
interfaces = CLUSTER1/
netbios name = CLUSTER1
security = ADS
password server = ROB-010.ROBINSONS.COM
server string = Samba (%v) domain (%h)
pid directory = /globalfs/samba-config/cluster1/var/locks
log file = /globalfs/samba-config/cluster1/logs/log.%m
smb passwd file = /globalfs/samba-config/cluster1/private/smbpasswd
private dir = /globalfs/samba-config/cluster1/private
lock dir = /globalfs/samba-config/cluster1/var/locks
;don't know what this does, but it solved somebody's problem where
netbios name didn't work but IP did
msdfs root = yes

winbind cache time = 30
;See if this helps us setting ACL's
nt acl support = yes
;May need this for getent passwd to work
;winbind separator = +
;AD needs encrypted passwords
encrypt passwords = yes
allow trusted domains = no
;idmap backend = rid:ROBINSONS.COM=100000-200000
idmap uid = 100000-200000
idmap gid = 100000-200000
winbind enum groups = yes
winbind enum users = yes
;winbind use default domain = yes

# Shares section

comment = Monitor directory for Sun Cluster
path = /tmp
browseable = No

comment = Main share
path = /globalfs/SAMBAshare
writeable = yes
nt acl support = yes

path = /globalfs/SAMBAshare
public = yes
only guest = yes
force directory mode = 777
delete readonly = yes
create mode = 777
wide links = no
force create mode = 777
directory mode = 777
writeable = yes
write list = @"everyone"

path = /globalfs/SAMBAshare
read only = no
browseable = yes
user = @"root"

path = /globalfs/SAMBAshare
read only = no
browseable = yes
user = @"ROBINSONS+domain users"

-----Original Message-----
From: samba-bounces+ross.smith=robinsons.com at lists.samba.org
[mailto:samba-bounces+ross.smith=robinsons.com at lists.samba.org] On
Behalf Of Ross Smith
Sent: 22 February 2008 10:52
To: samba at lists.samba.org
Subject: [Samba] RE: Samba and ADS authentication problems

Bleh, sorry folks.  Two days troubleshooting this and I find the problem
ten minutes after posting.  Fixed it by synchronising the time with the
PDC and rebooting the Solaris box.  All my users are listed fine now in
"getent passwd", and I can browse to the shares.
... now I just need to work out how on earth I grant file permissions to
my windows users.


From: Ross Smith
Sent: 22 February 2008 09:51
To: 'samba at lists.samba.org'
Subject: Samba and ADS authentication problems

Hey folks,
I'm having trouble with AD integration with the version of Samba
included in Solaris build 78 (Samba version 3.0.25a). I think it's
almost working, but I get an authentication prompt every time I try to
connect to samba from a windows client, and no matter what I enter I
can't authenticate to see the shares. 
The main documentation I've been using is Sun's guide to setting up
Samba:  http://dlc.sun.com/pdf/819-3063/819-3063.pdf, but I've also been
referring to the official How-To.
I'm trying to join Samba to my windows domain as a member server using
ADS.  I've read and re-read all the documentation I can find over the
last couple of days but I've no idea now where I've gone wrong.  What
*is* working is the following:

- Kerberos seems fine. "klist" shows a valid ticket, and "kinit
<mailto:user at REALM> user at REALM <mailto:user at REALM.COM> .COM"
authenticates ok.
- The samba machine account in Active Directory created fine when I used
the "net ... ADS JOIN ..." command.
- From Solaris I can list Active Directory users and groups with "wbinfo
-u" and "wbinfo -g".
- From Solaris, smbclient works anonymously and can list the shares on
both Samba and our windows servers with "smbclient -N -L computer".
However, any attempt by a windows client to view shares on the Solaris
server returns Access denied, followed by a password prompt, and on
Solaris, smbclient returns NT_STATUS_LOGON_FAILURE if I try to
authenticate with any username.  I suspect the problem is linked to the
fact that "getent passwd" and "getent group" just return the Solaris
users and groups, whereas the documentation states that they should
include the Active Directory accounts too.
One other thing that might be wrong is that in all the examples I've
seen online, "wbinfo -u" returns users in the form DOMAIN\user. However,
in our case it simply lists the usernames, no domain is included.
Searching on google, I've found a few people reporting identical
problems, so I'm guessing whatever I've done it's a fairly basic
mistake, but I haven't found any solution to this. Can anybody help out?

This is my first time posting, I've attached the smb.conf and krb5.conf
files but I'm not sure if they will be visible, please let me know if I
need to copy/paste them into a message instead.
Ross Smith 
Network Manager 
Robinson Construction
http://www.robinsons.com <http://www.robinsons.com/> 

The information transmitted is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Robinson Construction.  If you have received this transmission in error please advise the originator, or contact IT at robinsons.com.

This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. No responsibility is accepted for any virus or defect that might arise from opening this e-mail or attachment, whether or not it has been checked by anti-virus software. For further information visit www.clearswift.com.

Thank you for your co-operation.

Robinson Construction

S. Robinson & Sons (Engineers) Limited is a limited company registered in England.  Registration no:  823781
Registered office:  S. Robinson & Sons (Engineers) Limited, Wincanton Close, Ascot Drive, Derby, DE24 8NJ

More information about the samba mailing list